Two-way SSL authentication

Matt Dalen
Greenhorn

Joined: Aug 22, 2012
Posts: 12
Hi,

I'm trying to call a web service run by an outside company. I've done server-side SSL authentication before, but this is the first time I've been asked to do two-way authentication, and I'm having trouble getting it to work. I'm receiving their cert properly, and I think my keystore is properly built to include both the private key and the cert (I used keytool to import them from a PKCS12 file into a JKS file). But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.

Here's my test code that sends the message:



Any suggestions for ways to solve this, or avenues of investigation?
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9317
Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9317
Matt Dalen wrote: But I'm still receiving an error when I try to send information - the server folks say they're not receiving a client cert.


It's hard to say without looking at the actual error (if any), but I just found this long discussion thread about 2-way SSL and thought you might want to just check some of the points mentioned there: http://www.coderanch.com/t/496594/Web-Services/java/ssl-working-bad-certificate
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 960
Matt Dalen wrote: and I think my keystore is properly built to include both the private key and the cert


I hope not. If they have given you their private key their site is seriously compromised! You only need their CA signed certificate.

<edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client-side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.
Matt Dalen
Greenhorn

Joined: Aug 22, 2012
Posts: 12
Jaikiran Pai wrote: Is there anything in the SSL debug logs (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html)?


Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.

Richard Tookey wrote: <edit> On re-reading I may have misunderstood where the PKCS12 file comes from. If it is one you generated for the client-side authentication then the above does not apply, but of course the certificate contained in the PKCS12 file must be signed by a CA that the server recognises.


Yes, this is the pkcs12 file we generated for client-side authentication. However, I think you're right that it's an issue with the CA not matching.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6657
Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.


From what I understand, one of the issuers on the cert chain is unavailable for verification in your client-side trust store. For example - the root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA? Is the certificate self-signed?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.


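An added example (not code from the thread or from any poster) that ties the answers above together: before any handshake it checks that the client certificate's issuer is one of the CAs the server accepts (the mismatch that showed up in the debug log), then builds the SSLContext from the client keystore and the server trust store. The file names, the alias `clientcert`, the password, and the `accepted-cas.jks` store (assumed to hold the CA certs the server lists in its CertificateRequest) are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClientCheck {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // True if the client cert under 'alias' was signed by a CA whose cert is in 'acceptedCas', i.e. one of the
    // "Cert Authorities" the server lists in its CertificateRequest (visible in the SSL debug log). Only the
    // direct issuer is checked; if intermediates are involved, the whole chain must be in the keystore.
    static boolean issuerAccepted(KeyStore clientKs, String alias, KeyStore acceptedCas) throws Exception {
        X509Certificate client = (X509Certificate) clientKs.getCertificate(alias);
        if (client == null) throw new IllegalStateException("no certificate under alias " + alias);
        for (Enumeration<String> e = acceptedCas.aliases(); e.hasMoreElements(); ) {
            X509Certificate ca = (X509Certificate) acceptedCas.getCertificate(e.nextElement());
            if (ca.getSubjectX500Principal().equals(client.getIssuerX500Principal())) {
                client.verify(ca.getPublicKey()); // throws if the DN matches but the signature does not
                return true;
            }
        }
        return false;
    }

    // Key manager = client identity (private key + cert); trust manager = CAs accepted for the server's cert.
    static SSLContext buildContext(KeyStore clientKs, char[] keyPw, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception { // run with -Djavax.net.debug=ssl,handshake
        char[] pw = "changeit".toCharArray(); // assumed: file names, alias and password are placeholders
        KeyStore client = load("client.jks", pw), trust = load("truststore.jks", pw), accepted = load("accepted-cas.jks", pw);
        if (!issuerAccepted(client, "clientcert", accepted)) throw new IllegalStateException("client cert issuer is not a CA the server accepts");
        HttpsURLConnection.setDefaultSSLSocketFactory(buildContext(client, pw, trust).getSocketFactory());
    }
}
```

If the issuer check fails, the fix is the one the thread reached: get a client certificate issued by a CA the server actually lists, rather than changing anything in the trust store.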
Matt Dalen
Greenhorn

Joined: Aug 22, 2012
Posts: 12
Deepak Bala wrote:
Thanks! That helped a lot - I *think* it's actually an error in the cert file I was given. If I'm reading the logs right, the issuer on the cert file doesn't match the list of valid cert authorities they accept.


From what I understand, one of the issuers on the cert chain is unavailable for verification in your client-side trust store. For example - the root CA for github is DigiCert. If DigiCert is unavailable in the trust store, any communication between you and github will fail with an SSL error saying the CA cannot be verified.

To fix the problem (if that is the problem) import the CA's cert into your trust store. Who is the CA? Is the certificate self-signed?

[EDIT]

My assumption here is that the error you are talking about came from not trusting the cert presented by the server. Please post the SSL debug logs and we can help you further.


I was able to track down the issue - I was given the wrong cert, which is why the issuer didn't match. Thanks for everyone's help!